Commit log, path: root/src
Each entry lists the commit message, then author, date, number of files changed, and lines removed/added.

* resolve: refuse mdns scope for ipv4 broadcast addresses
  Ronan Pigott, 2023-04-05, 4 files, -4/+22
  This query can never be answered, so let's not wait for it to time out.

* Merge pull request #27143 from bluca/no_tpm
  Zbigniew Jędrzejewski-Szmek, 2023-04-05, 1 file, -0/+4
  cryptsetup: fix build without TPM2

  * cryptsetup: fix build without TPM2
    Luca Boccassi, 2023-04-04, 1 file, -0/+4
    Follow-up for acbb504eaf1be51572b1c0d0d490ac478bc41c64

* service: use newdup() where appropriate
  Lennart Poettering, 2023-04-05, 1 file, -2/+1

* Merge pull request #27137 from yuwata/id128-get-machine
  Yu Watanabe, 2023-04-05, 14 files, -90/+112
  sd-id128: introduce id128_get_machine() and _at()

  * machine-id-setup: do not read host's machine ID when root directory is specified
    Yu Watanabe, 2023-04-05, 1 file, -10/+5
    If a root directory is specified, and e.g. /var under the root directory is a symlink to the host's /var, then we wrongly read the host's machine ID, even if O_NOFOLLOW is set. Let's chase the path with CHASE_NOFOLLOW to refuse such a case. Also, refuse a null ID, otherwise we may set up the machine ID with NULL.

  * machine-id-setup: use id128_get_machine() at one more place
    Yu Watanabe, 2023-04-05, 1 file, -4/+1

  * discover-image: use id128_get_machine() at one more place
    Yu Watanabe, 2023-04-05, 1 file, -17/+3

  * specifier: always convert missing machine-id file to EUNATCH
    Yu Watanabe, 2023-04-05, 2 files, -14/+4
    Then, use id128_get_machine().

  * nspawn: ignore NULL machine ID in the container
    Yu Watanabe, 2023-04-05, 1 file, -11/+1
    Previously, when a NULL (all-zero) machine ID was configured in the container, nspawn refused to execute. Now id128_get_machine() is used, so a NULL machine ID is refused with -ENOMEDIUM, and we fall back to the specified UUID or a randomly generated one.

  * repart: use id128_get_machine()
    Yu Watanabe, 2023-04-05, 1 file, -16/+6
    This also makes sure that the seed is actually randomized when the machine ID read is NULL.

  * test: add tests for id128_get_machine() and _at()
    Yu Watanabe, 2023-04-05, 1 file, -0/+10

  * sd-id128: introduce id128_get_machine() and id128_get_machine_at()
    Yu Watanabe, 2023-04-05, 2 files, -0/+37

  * fd-util: introduce dir_fd_is_root_or_cwd()
    Yu Watanabe, 2023-04-05, 3 files, -8/+6

  * test: add tests for ID128_REFUSE_NULL
    Yu Watanabe, 2023-04-05, 1 file, -0/+20

  * sd-id128: introduce ID128_REFUSE_NULL flag
    Yu Watanabe, 2023-04-05, 3 files, -10/+19

* various: simplify calls to parse_boolean_argument()
  Zbigniew Jędrzejewski-Szmek, 2023-04-05, 5 files, -56/+30
  parse_boolean_argument() returns the same information via both the output argument and the normal return value.

* tpm2: fix nits from PR #26185
  William Roberts, 2023-04-04, 3 files, -7/+5
  Fixes:
  - Comment style
  - Alignment style
  - cleanup macro usage
  - incorrect error message[1]

  1. Thanks to tempusfugit991@gmail.com for pointing out the error message mistake.

  Signed-off-by: William Roberts <william.c.roberts@intel.com>

* execute: add one more assert()
  Lennart Poettering, 2023-04-04, 1 file, -0/+2

* Merge pull request #27128 from keszybz/sd-bus-docs-and-error-messages
  Zbigniew Jędrzejewski-Szmek, 2023-04-04, 8 files, -134/+134
  Improvements to man pages for systemd.service, sd-bus, and better error messages

  * sd-bus: use macros for standard bus error names consistently
    Zbigniew Jędrzejewski-Szmek, 2023-04-04, 4 files, -67/+70
    Also add definitions for a few names that didn't have them and update the list in the man page.

  * core: a more informative error when SetProperties/StartTransientUnit fails
    Zbigniew Jędrzejewski-Szmek, 2023-04-04, 1 file, -9/+18
    I was changing how some properties are appended to the StartTransientUnit call and messed up the message contents. When something is wrong with how the message is structured, we would return a very generic "Failed to start transient service unit: No such device or address". Mention that it was property setting that failed, and translate ENXIO to a different message.

    bus_unit_set_properties() or any of the children it calls may also return other errors, in particular EBADMSG or ENOMEM, but the error message that is generated for those is understandable, so we don't need to "translate" them explicitly.

    bus_unit_set_properties() is called from two places, so it seems nicer to generate the message internally, rather than ask the caller to do that. Also, now bus_unit_set_properties() always sets <error>, which is nicer for the callers.

  * core: unify two similar paths, avoid formatting of unused string
    Zbigniew Jędrzejewski-Szmek, 2023-04-04, 1 file, -26/+21
    After 'if (DEBUG_LOGGING)' is added, the two call sites are almost identical, except that we forgot LOG_UNIT_INVOCATION_ID(unit).

    I removed the handling of the log_oom(). It's a debug message only after all, and it's unlikely to fail.

  * core: simplify unit_escape_setting()
    Zbigniew Jędrzejewski-Szmek, 2023-04-04, 2 files, -17/+11
    The function had a provision for NULL input, and would return NULL, but that looks like an error and all callers pass in a non-NULL arg and report oom on NULL. So assert that the input is non-NULL.

    All callers specified the output buffer, so we can simplify the logic to only make an allocation if appropriate and change the return type to 'const *'.

    No functional change.

  * core: typos in comments
    Zbigniew Jędrzejewski-Szmek, 2023-04-04, 4 files, -15/+14

* service: minor modernizations
  Lennart Poettering, 2023-04-04, 1 file, -13/+13

* manager: remove transient unit directory during startup
  Zbigniew Jędrzejewski-Szmek, 2023-04-04, 1 file, -0/+4
  I was testing transient units and user@.service crashed. I restarted it, and tried to create a transient unit. It failed because /run/user/1000/systemd/transient/ remained after the previous aborted run:

      Failed to start transient service unit: Unit run-u0.service was already loaded or has a fragment file.

  Remove the directory during initial startup so we don't get confused by our own files.

* service: dump fdstore contents also in free-form debug dump
  Lennart Poettering, 2023-04-04, 1 file, -0/+39

* Merge pull request #27122 from yuwata/id128-at
  Daan De Meyer, 2023-04-04, 6 files, -26/+117

  * test: add tests for id128_{read,write}_at()
    Yu Watanabe, 2023-04-04, 1 file, -0/+74

  * sd-id128: introduce id128_write_at()
    Yu Watanabe, 2023-04-04, 2 files, -4/+8

  * sd-id128: introduce id128_read_at()
    Yu Watanabe, 2023-04-04, 2 files, -4/+10

  * sd-id128: rename Id128FormatFlag -> Id128Flag
    Yu Watanabe, 2023-04-04, 2 files, -13/+13
    As the flag is not only for formatting.

  * sd-id128: rename argument and add missing assertion
    Yu Watanabe, 2023-04-04, 2 files, -6/+10

  * Revert "sd-id128: make id128_read() optionally take root directory"
    Yu Watanabe, 2023-04-04, 5 files, -13/+16
    This reverts commit 830e52caa2bf1a29f56cb93e7ed85acb1bda11c3.

* chase: fix error handling
  Yu Watanabe, 2023-04-04, 1 file, -2/+2
  Fixes a bug introduced by 63bfd52f48a772c86ff84e3a1ba1fcd19e0008f8.

* src: changed usage of basename() to path_extract_filename().
  OMOJOLA JOSHUA DAMILOLA, 2023-04-04, 2 files, -7/+19
  TODO.

* Merge pull request #27114 from keszybz/trivial-cleanups
  Luca Boccassi, 2023-04-03, 4 files, -15/+7
  Trivial cleanups

  * shared/exec-util: reduce scope of iterator variables
    Zbigniew Jędrzejewski-Szmek, 2023-04-03, 1 file, -6/+3

  * core/service: inline one variable
    Zbigniew Jędrzejewski-Szmek, 2023-04-03, 1 file, -3/+1

  * basic/fs-util: typo fix
    Zbigniew Jędrzejewski-Szmek, 2023-04-03, 1 file, -1/+1

  * basic/mkdir: simplify error handling
    Zbigniew Jędrzejewski-Szmek, 2023-04-03, 1 file, -5/+2
    If we created the dir successfully, we let chmod_and_chown_at() do its thing and shouldn't go into the part where we check if the existing directory has the right permissions and ownership and possibly adjust them. The code was doing that, by relying on the fact that chmod_and_chown_at() does not return -EEXIST. That's probably true, but seems unnecessarily complicated.

    Follow-up for c1b1492a94b43ca636eb383c3b058feff27ff7b1.

* pid1: drop two spurious empty lines
  Lennart Poettering, 2023-04-03, 1 file, -2/+0

* core/main: also check the argument terminator
  Mike Yuan, 2023-04-03, 1 file, -1/+1
  For future-proofing reasons, in case we add another option that starts with --deserialize.

  Addresses https://github.com/systemd/systemd/commit/4f44d2c4f76922a4f48dd4473e6abaca40d7e555#r107285603

* udev-rules: check token order
  Dmitry V. Levin, 2023-04-03, 1 file, -0/+17
  When invoked by udevadm verify, warn about rules that have PROGRAM assignments specified after RESULT checks.

* tpm2: add support for a trusted SRK
  William Roberts, 2023-04-03, 12 files, -68/+485
  Prevent attackers from spoofing the tpmKey portion of the AuthSession by adding a trusted key to the LUKS header metadata. Also, use a persistent object rather than a transient object. This provides the following benefits:

  1. No way to MITM the tpmKey portion of the session, see [1] for details.
  2. Strengthens the encrypted sessions, note that the bindKey could be dropped now.
  3. Speed, once it's created we just use it.
  4. Owner Auth is needed to call create primary, so using the SRK creates a scratch space for normal users.

  This is a "first to set" model, where the first person to set the key in the LUKS header wins. Thus, setup should be done in a known good state. If an SRK, which is a primary key at a special persistent address, is found, it will use whatever is there. If not, it creates an SRK.

  The SRK follows the conventions used throughout the tpm2-software organization code on GitHub [2]; however, a split has occurred between Windows and Linux with respect to SRK templates. The Linux SRK is generated with the unique field size set to 0; in Windows, it properly sets the size to the key size in bytes and the unique data to all 0's of that size. Note the proper templates for SRKs are covered in spec [3]. However, the most important thing is that both SRKs are passwordless, and thus they should be interchangeable. If Windows is the first to make the SRK, systemd will gladly accept it and vice-versa.

  1. Without the bindKey being utilized, an attacker was able to intercept this and fake a key, thus being able to decrypt and encrypt traffic as needed. Introduction of the bindKey strengthened this, but allows for the attacker to brute force AES128CFB using pin guesses. Introduction of the salt increases the difficulty of this attack as well as DA attacks on the TPM objects itself.
  2. https://github.com/tpm2-software
  3. https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf

  Fixes: #20668
  Fixes: #22637

  Signed-off-by: William Roberts <william.c.roberts@intel.com>

* Merge pull request #27044 from bluca/sysext_recursive_dir
  Lennart Poettering, 2023-04-03, 8 files, -66/+88
  Ensure sysexts do not contain an os-release file, do not load sysexts from /usr[/local]/lib/extensions/

  * sysext: validate that they do not contain os-release
    Luca Boccassi, 2023-03-30, 5 files, -57/+77
    sysexts are not supposed to ship os-release files; enforce this when loading them.

  * sysext: stop storing under /usr/lib[/local]/extensions/
    Luca Boccassi, 2023-03-30, 1 file, -3/+5
    sysexts are meant to extend /usr. All extension images and directories are opened and merged in a single, read-only overlayfs layer, mounted on /usr. So far, we had fallback storage directories in /usr/lib/extensions and /usr/local/lib/extensions. This is problematic for three reasons.

    Firstly, technically, for directory-based extensions the kernel will reject creating such an overlay, as there is a recursion problem. It actively validates that a lowerdir is not a child of another lowerdir, and fails with -ELOOP if it is. So having a sysext /usr/lib/extensions/myextdir/ would result in an overlayfs config lowerdir=/usr/lib/extensions/myextdir/usr/:/usr which is not allowed; as indicated by Christian, the kernel performs this check:

        /*
         * Check if this layer root is a descendant of:
         * - another layer of this overlayfs instance
         * - upper/work dir of any overlayfs instance
         */
        <...>
        /* Walk back ancestors to root (inclusive) looking for traps */
        while (!err && parent != next) {
                if (is_lower && ovl_lookup_trap_inode(sb, parent)) {
                        err = -ELOOP;
                        pr_err("overlapping %s path\n", name);

    Secondly, there's a confusing aspect to this recursive storage. If you have /usr/lib/extensions/myext.raw which contains /usr/lib/extensions/mynested.raw, 'systemd-sysext merge' will only pick up the first one, but both will appear in the merged root under /usr/lib/extensions/. So you have two extension images, both appear in your merged filesystem, but only one is actually in use.

    Finally, there's a conceptual aspect: the idea behind sysexts and hermetic /usr is that the /usr tree is not modified locally, but owned by the vendor. Dropping extensions in /usr thus goes contrary to this foundational concept.

  * rename extension-release.[c|h] -> extension-util.[c|h]
    Luca Boccassi, 2023-03-30, 7 files, -6/+6
    It will be used for other extension DDI validation, not just for extension-release validation.